Privacy Policy for Braintrust Nexus

This Privacy Policy outlines how Braintrust Nexus ("we," "our," or "us"), a product of Freelance Labs Inc. operating as Braintrust, collects, uses, discloses, and protects personal information when users ("you" or "your") access or use our AI-powered workflow automation platform and related services (collectively, the "Service").

Braintrust Nexus builds custom AI agents and automated workflows that connect to the tools and services you already use — from recruiting and revenue operations to onboarding and customer service. The Service integrates with hundreds of third-party platforms via authenticated API connections to deliver its functionality.

By using the Service, you consent to the practices described in this Privacy Policy.

Customer & User Data

• Contact Information: Name, email address, and company name.
• Account Credentials: Username and password for accessing the Service, or authentication tokens when signing in via a supported identity provider.
• Professional Information: Job title, employer details, and workflow configuration preferences.
• Payment Information: Billing address and payment method details.
• Usage Data: Information about how you interact with the Service, such as IP addresses, browser types, access times, features used, and pages viewed.

Workflow & Operational Data

• Workflow Configuration: The integrations, triggers, actions, and logic you define when building workflows in Nexus.
• Execution Logs: Records of workflow runs, including timestamps, success/failure status, and error details.

Data from Connected Integrations

When you authorize Nexus to connect with third-party services, we may access the following categories of information depending on the integration and permissions you grant:

• Authentication & Identity: Basic profile information (name, email address, profile photo) from identity providers for account creation and authentication.
• Calendar & Scheduling: Calendar availability and event time slots (free/busy status) from connected calendar services to coordinate scheduling within workflows.
• Email & Messaging: The ability to send messages on your behalf through connected email or messaging providers as part of automated workflows. We do not read, scan, or access the contents of your inbox or existing messages.
• CRM & Business Tools: Records and fields from connected CRM, ATS, or productivity tools that your workflows are configured to read or update.

We use the collected information for the following purposes:

• Providing and Improving the Service: To operate, maintain, and enhance the Service's functionality, including AI-powered workflow automation, agent execution, and integration management.
• Authentication & Account Management: To manage user access via direct login or supported identity providers, prevent unauthorized access, and enforce security protocols.
• Workflow Execution: To execute the automated workflows you configure, including reading from and writing to connected third-party services on your behalf.
• Communication: To send administrative updates, security notifications, and provide customer support.
• System Analytics & Performance: To monitor service uptime, detect anomalies, and improve platform performance.
• Billing and Payments: To process transactions and manage subscriptions.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.

Nexus connects to hundreds of third-party services via authenticated APIs. Our use and transfer of information received from these APIs adheres to each provider's applicable data policies and terms of service.

Where providers mandate specific data use restrictions, Nexus fully complies. For example, Nexus's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We apply the following principles uniformly to data received from all connected integrations:

• We only use data obtained from third-party APIs to provide or improve user-facing features that are prominent in Nexus's user interface.
• We do not transfer integration data to unrelated third parties except as necessary to provide or improve user-facing features, for security purposes, to comply with applicable laws, or as part of a merger/acquisition/asset sale with explicit user consent.
• We do not use integration data for serving advertisements, including retargeting, personalized, or interest-based advertising.
• We do not allow humans to read integration data unless: (a) you have given affirmative consent to view specific data, (b) it is necessary for security purposes such as investigating abuse, (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.

You can disconnect any integration and revoke Nexus's access at any time through your account settings or through the connected service's permissions page.

Nexus only accesses the specific data types and permissions you have authorized for each connected integration. For clarity, Nexus does not:

• Read the content or body of your existing emails or messages unless your workflow explicitly requires it
• Scan your inbox, sent mail, or draft messages
• Access the title, description, attendees, or content of calendar events beyond free/busy availability
• Access files, documents, or storage services unless your workflow explicitly requires it
• Access contacts or address books beyond what is provided through authentication
• Access any data beyond the specific scopes you have authorized for each integration

We do not sell or rent your Personal Information to third parties. We may share your information in the following limited circumstances:

• Authorized Service Providers: With third-party vendors who perform services on our behalf, such as cloud infrastructure, payment processing, and analytics. All service providers are bound by data processing agreements and must adhere to confidentiality obligations.
• Business Transfers: In connection with a merger, acquisition, or sale of all or a portion of our assets, with prior user notification.
• Legal Obligations: If required by law, subpoena, or government request, or to protect users, platform integrity, or intellectual property.

Data received through third-party API integrations is handled in accordance with the applicable provider's data policies and is never transferred to unrelated third parties for advertising, data brokering, or purposes unrelated to Nexus's core functionality.

We implement industry-standard security measures to protect your Personal Information from unauthorized access, disclosure, alteration, or destruction:

• Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
• Access Control: Role-based access control (RBAC) ensures only authorized personnel can access sensitive data. Integration credentials and API tokens are stored encrypted and are scoped to the minimum permissions required.
• Audit Logging & Monitoring: Continuous security monitoring detects unauthorized activity or system anomalies.
• Token Management: OAuth refresh tokens and API credentials are stored securely, rotated as required, and immediately revoked when you disconnect an integration.
• Incident Response: Documented procedures for breach detection, mitigation, and notification.

User Responsibilities: You must protect your login credentials and notify Braintrust immediately if unauthorized access is suspected.

We retain your Personal Information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Account Data: Retained while your account is active, plus a reasonable period for backup and legal compliance after deletion.
• Integration Data: Data received from connected services is retained only for the duration needed to execute your workflows and maintain execution logs. We do not maintain long-term archives of third-party integration data beyond what is needed for your configured workflows.
• Workflow Execution Logs: Retained according to your account settings, subject to applicable data protection laws.

When you disconnect an integration or delete your account, associated credentials and cached integration data are purged from our systems within 30 days.

Depending on your jurisdiction, you may have the following rights regarding your Personal Information:

• Access: Request access to the Personal Information we hold about you.
• Correction: Request correction of inaccurate or incomplete information.
• Deletion: Request deletion of your Personal Information, subject to certain legal exceptions.
• Portability: Request a copy of your data in a portable format.
• Objection: Object to the processing of your Personal Information under certain circumstances.
• Disconnect Integrations: Disconnect any connected service from Nexus at any time through your account settings or through the provider's own permissions management.

To exercise these rights, please contact us at privacy@usebraintrust.com.

The Service is not intended for individuals under the age of 18. We do not knowingly collect Personal Information from children under 18. If we become aware that we have inadvertently collected such information, we will take steps to delete it.

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. Your continued use of the Service after such changes constitutes your acceptance of the updated Privacy Policy.

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at privacy@usebraintrust.com.

EU Representative under Article 27 GDPR

Freelance Labs Inc. has appointed Prighter Group, with its local partners, as our privacy representative and point of contact for data protection matters in the European Union.

If you are located in the EU and wish to exercise your data protection rights, please visit:
https://app.prighter.com/portal/13563441204

Or contact them by mail at:
Prighter GmbH
Köstlergasse 1/6
1060 Vienna, Austria

Please include our company name, Freelance Labs Inc., in any communication.